Kali Linux is not one of the officially supported distros by the ZeroTier installer script, so if you just try to use it you will get an error message along the lines of:
FAILED: unrecognized or ancient distribution: kali-rolling
Kali Linux is based on Debian testing, so we can just “trick” the ZeroTier install script into thinking it’s Debian and it installs just fine:
# save /etc/debian_version
# (which will be something like kali-rolling)
DV_SAVE=$(cat /etc/debian_version)
# pretend we're Debian buster
echo buster | sudo tee /etc/debian_version >/dev/null
# follow ZeroTier install instructions from:
# for example, if you don't care about checking gpg signatures:
curl -s https://install.zerotier.com | sudo bash
# restore /etc/debian_version
echo "$DV_SAVE" | sudo tee /etc/debian_version >/dev/null
This article is a result of playing SANS NetWars Continuous level 5 (attack/defense) for several weeks. When you get access to an opponent’s machine, it is highly desirable to leave backdoors that allow you to get back in once your access is blocked. Below, I’m describing some of the techniques I’ve used for persistence purposes. The techniques, albeit effective, are very simple, mostly use the features of the OS and services, and do not cover any advanced topics like rootkits.
This is useful if you can access SSH service on the machine. SSH keys are a secure and convenient way to…
I’ve been experimenting with xxelab (https://github.com/jbarone/xxelab), a simple PHP web app demonstrating XXE attacks, trying to replicate code execution through the expect:// PHP wrapper. (Shameless plug — my recently submitted pull request allows you to run xxelab in a Docker container). This technique is well described in a number of articles on the Internet, for example here:
The idea is that you provide a reference to the expect://id pseudo URI for the XML external entity, and PHP will execute id and return the output of the command for external entity substitution.
Turns out it was quite a lot of…
I was recently configuring Docker on a machine that didn’t have direct access to the Internet and had to use a proxy for outbound connectivity, and it turned out to be a non-trivial task. All of this info is scattered around the Internet; I’m just bringing it all together. Here are the steps to get everything working:
This article has been written for Ubuntu Linux and might need tweaking for other distros.
On occasion you need to listen for incoming connections and interact with the data being sent by the client. The simplest way might be with netcat (12345 is the port number to listen on):
$ nc -lvnp 12345
-l for listen,
-v for verbose, this will let you know once a connection is received,
-n tells netcat not to resolve host and port names,
-p indicates the port to listen on.
When you need to accept a TLS/SSL connection, things get a bit more complicated as regular netcat doesn’t support it.
nmap includes a version of netcat called ncat that…
I just released cms2cmd, a CMS plugin that can be used with Drupal 7, Drupal 8, Joomla and Wordpress as a simple command execution mechanism.
Occasionally during a CTF (or a pen test?) you might gain admin access to a CMS, which in most configurations gives you RCE. cms2cmd is a clean (i.e. no need to change templates or otherwise “break” the CMS instance) and simple command execution plugin that works for a number of various CMS systems (current version has been tested on Drupal 7, Drupal 8, Joomla 3.x, and Wordpress 3.9.x).
The same mod_cmd.zip file is recognized as…
To connect to a database, Java applications usually use the JDBC framework. Part of the framework is the JDBC drivers, which are usually supplied by the DBMS vendor. Applications often require the administrator to download the needed JDBC driver separately, because licensing restrictions do not allow the software vendor to redistribute the driver with their software.
Some software allows the administrator to upload the JDBC driver through the UI to make the configuration process easier. The software then places the driver into the appropriate directory so it can be used at runtime. By doing that, the application essentially allows upload of…
I like seeing CPU load on my boxes, so pretty much all of them have some sort of CPU load gadget enabled on startup. I noticed every time I have to configure this on a Kali box I’m struggling to remember the package names for what I have to install, so having done it today I decided to write this up so I don’t have to struggle next time.
It’s fairly simple, really:
gnome-shell-extension-system-monitor package (doesn’t require addition of a PPA compared to
# apt update
# apt install gnome-shell-extension-system-monitor
tweaks to search for it).
System-monitor, click on the gear and set your preferences.
Let’s tackle the Protostar Format 4 challenge from Exploit Exercises (https://exploit-exercises.com/protostar/format4/). This is a detailed step-by-step walkthrough explaining all the tools and techniques needed — we’ll be writing a format string exploit.
Here’s the source code for the challenge:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int target;

void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

void vuln()
{
  char buffer[512];
  fgets(buffer, sizeof(buffer), stdin);
  printf(buffer); /* user-controlled format string: this is the bug */
  exit(1);
}

int main(int argc, char **argv)
{
  vuln();
}
The program reads a string from the standard input and passes it to printf. …
Having previously tackled the last stack challenge in Protostar from Exploit Exercises (https://medium.com/@airman604/protostar-stack7-walkthrough-2aa2428be3e0), we’re now switching to the last heap challenge (https://exploit-exercises.com/protostar/heap3/).
Here’s the source code for the Protostar Heap 3 challenge:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

void winner()
{
  printf("that wasn't too bad now, was it? @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  char *a, *b, *c;

  a = malloc(32);
  b = malloc(32);
  c = malloc(32);

  /* unbounded copies into 32-byte heap chunks: this is the bug */
  strcpy(a, argv[1]);
  strcpy(b, argv[2]);
  strcpy(c, argv[3]);

  free(c);
  free(b);
  free(a);

  printf("dynamite failed?\n");
}
The goal is to call the winner() function. As strcpy is used, it…